Check this, check that. Granted, the OP posted quite a bit of irrelevant code with regard to SQL injection protection. BUT his use of parameterized queries should protect against injection because MySQL knows what to do with the data (i.e. escape it), which only leaves the question as to whether the character encoding is correctly set up so that nothing funky can get through (although I believe an article by Chris Shiflett pointed out a situation where even if you got everything right it was possible to do SQL injection in some edge cases by submitting specific 'broken' strings).

Jared Farrish wrote:
> Also, you should be checking against type (expecting a number? a boolean
> value? a string?) and then checking against expected length requirements
> (such as firstname can only be 80 characters long max, so maybe check for
>
> <code>
> if (strlen($var) > 80) {
>     do something;
> }
> </code>
>
> In unit testing, you build your objects first against types and perform
> object checks using type verification and expected element attributes (such
> as length, non-null values, etc...).

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
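As an added example, not code from either post in the thread: a PDO version of what the two messages describe, with the connection charset set explicitly in the DSN, native server-side prepared statements instead of emulated ones, and the type and length checks Jared suggests. The table and column names (users.id, users.firstname) and the connection parameters are assumed.

```php
<?php
// Added example (not from the thread). Assumed schema: users(id, firstname).

function validateFirstName(string $name): string
{
    // Reject byte sequences that are not valid UTF-8 before measuring length.
    if (!mb_check_encoding($name, 'UTF-8')) {
        throw new InvalidArgumentException('firstname is not valid UTF-8');
    }
    // Length check in characters, not bytes, so multibyte names are measured correctly.
    if (mb_strlen($name, 'UTF-8') > 80) {
        throw new InvalidArgumentException('firstname exceeds 80 characters');
    }
    return $name;
}

function validateId($id): int
{
    // Type check: accept only something that is genuinely a positive integer.
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $n;
}

function connect(string $host, string $db, string $user, string $pass): PDO
{
    // charset in the DSN fixes the client encoding at connect time, so client and
    // server agree on what a character is. ATTR_EMULATE_PREPARES=false makes PDO use
    // real server-side prepared statements: values travel separately from the SQL text.
    $dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function updateFirstName(PDO $pdo, $id, string $firstname): int
{
    $id        = validateId($id);
    $firstname = validateFirstName($firstname);
    $stmt = $pdo->prepare('UPDATE users SET firstname = :firstname WHERE id = :id');
    $stmt->bindValue(':firstname', $firstname, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}
```

Validation and binding are kept apart on purpose: the prepared statement is what stops injection, while the type and length checks only keep bad data out of the table.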